CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous...

www.cloudsecurityalliance.org, Copyright © 2013 Cloud Security Alliance. CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring. November 2013, Research Council of Norway. Daniele Catteddu, CSA Managing Director EMEA and OCF Project Director.


VERDIKT conference 2013

Transcript of CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous...

Page 1: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring

November 2013, Research Council of Norway

Daniele Catteddu, CSA Managing Director EMEA and OCF Project Director

Page 2: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


About the Cloud Security Alliance

Global, not-for-profit organisation

Over 48,000 individual members, more than 180 corporate members, and 65 chapters

Building best practices and a trusted cloud ecosystem

Agile philosophy, rapid development of applied research

GRC: Balance compliance with risk management

Reference models: build using existing standards

Identity: a key foundation of a functioning cloud economy

Champion interoperability

Enable innovation

Advocacy of prudent public policy

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Page 3: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Page 4: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Page 5: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Page 6: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Security Benefits

Page 7: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Security Benefits

Economy of Scale

Page 8: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


RISKS

Page 9: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Page 10: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


OPENNESS & TRANSPARENCY

Page 11: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


NEW GOVERNANCE MODELS

Page 12: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


ACCOUNTABILITY

Page 13: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA

This project is partly funded from the European Commission’s Seventh Framework Programme (FP7/2007-2013) under grant agreement no: 317550 (A4CLOUD).

Cloud Accountability Project

The project focuses on accountability as the most critical prerequisite for effective governance and control of corporate and private data processed by cloud-based IT services.

It aims to assist cloud service providers with:

• Techniques to make services more trustworthy

• Ways to satisfy business policies and demonstrate compliance

• Allowing differentiation

Page 14: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


A4Cloud Members

Industry

Community

Research

Page 15: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Drivers for accountability

Globalisation and new technologies
• Cloud computing presents a paradigm shift in how IT is deployed and consumed

Uncertainty and lack of visibility (for consumers, clients and regulators)
• Privacy and trust come from sound stewardship of information by service providers, for which we need to hold them accountable

Regulatory complexity in global business environments, especially for cloud
• Accountability addresses global interoperability
• Clear and consistent framework of data protection rules
• Allows avoidance of a complex matrix of national laws and reduces unnecessary layers of complexity for cloud providers
• New technologies like cloud are straining traditional privacy frameworks

Page 16: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Context

Principles, Regulations and Societal Norms: What is the right thing?

Design: How to do the right thing

Accountability: Trying to get organisations to do the right thing; holding them to account if they don’t; facilitating redress

Diagram relations between the three: “supports”, “complements”

Page 17: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA



Control over practical aspects of compliance

Obligation to prove that principles are put into effect

Page 18: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Cloud ecosystem

Page 19: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Model of Accountability

Page 20: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Conceptual model of accountability

Accountability, from abstract to concrete:
• Attributes (conceptual): What?
• Practices (organisational): How?
• Mechanisms (operational): With what?

Page 21: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Defining accountability

Accountability consists of defining governance to comply in a responsible manner with internal and external criteria, ensuring implementation of appropriate actions, explaining and justifying those actions and remedying any failure to act properly.

Page 22: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Accountability attributes

• Observability

• Verifiability

• Attributability

• Transparency

• Responsibility

• Liability

• Remediation

Page 23: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Accountability practices

• Define governance

• Ensure implementation

• Explain & justify actions

• Remedy failures

Page 24: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Accountability mechanisms contain:

• Business processes

• Non-technical instruments

• Technical tools

Page 25: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Accountability Mechanisms contain:

• Business processes: auditing, risk assessment, etc.

Page 26: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Accountability Mechanisms contain:

• Non-technical instruments: contracts, legal means, etc.

Page 27: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Accountability Mechanisms contain:

• Technical tools: tracking and transparency tools, notification of policy violation, etc.

Page 28: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


What is needed

• Accountability framework

• Accountability metrics

• Accountability evidence mechanisms and tools

• Auditing mechanisms and tools

• Policy compliance mechanisms and tools

• Reference architecture for accountability

• Interoperable mechanisms and tools

A4Cloud project

Trustworthy architecture, Privacy assurance, Trust assurance, Governance, Security and trust economics, Policies, Transparent security

• Risk and trust models for accountability

• Accountability policy language

• Enforcement mechanisms for accountability

• User-centric accountability tools

Page 29: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


A4Cloud & CSA

A4Cloud results are relevant to a number of CSA research and educational activities, as well as in the context of the Open Certification Framework.

Page 30: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


The Cloud Trust Protocol (CTP) is designed to be a mechanism by which cloud service clients can ask for and receive information related to the security of the services they use in the cloud, promoting transparency and trust.

Page 31: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


An idea for a consumer/provider protocol

CTP sits between consumer and provider

Commitments = Reports + Alerts

Attributes such as: Confidentiality level, Uptime…

Page 32: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Transparency and trust

OCF level 1: Cloud self-certification

OCF level 2: Third-party cloud certification

OCF level 3: Cloud monitoring based certification

Goal: Transparency and trust

Page 33: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


What we have today…

1. API & Data Model
What is… a report, a commitment, an alert? A security attribute? A resource, a service?

2. Security attribute catalogue
“Availability”, “timely incident reporting”, “confidentiality level”…

3. A prototype
REST + XML


Page 34: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


The API is the easy part...

Page 35: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Challenge 1:

Standardizing cloud security attributes

Electricity consumption: 0.06 kWh = 0.06 kWh = 0.06 kWh

Cloud availability: 99.95% = 99.95% = 99.95%


Page 36: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Challenge 2:

Finding good security attributes

1 vulnerability found < 5 vulnerabilities found ?

100 vulnerabilities published in 2013 (NVD); 9 relevant to our platform; 8 tested; 1 found exploitable (severity = 6.0); time between discovery and fix = 5 days.


Page 37: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Challenge 3:

Fitting CTP in OCF level 3


The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers.

Page 38: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Challenge 4:

Integrating CTP in A4Cloud

Page 39: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Lessons already learned

Good attributes need to be:

• Well defined, consistently measured

• Cheap to evaluate, automated

• Correlated to consumer utility

Some interesting but tricky areas: vulnerability management, data location, staff data access, incident response…
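The consumer/provider exchange sketched in the CTP slides (commitments, reports, alerts over a catalogue of security attributes) and the well-defined, cheaply evaluated attributes called for above, as an added Python model that is not CSA or A4Cloud code: `Commitment`, `Report`, `Alert`, `Provider` and `consumer_query` are assumed names, the sample data is constructed, and the REST + XML transport of the real CTP is left out.

```python
# Toy model of the CTP exchange sketched in the slides: the provider publishes
# Commitments on security attributes, emits Reports of measured values and
# raises Alerts when a report breaks a commitment. Added example, not CSA code;
# the real CTP transports this over REST + XML, which is omitted here.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Commitment:
    """A promise on one well-defined attribute, with its unit and direction."""
    attribute: str
    threshold: float
    unit: str
    higher_is_better: bool = True

    def holds(self, value: float) -> bool:
        return value >= self.threshold if self.higher_is_better else value <= self.threshold

@dataclass(frozen=True)
class Report:
    attribute: str
    value: float
    period: str

@dataclass(frozen=True)
class Alert:
    attribute: str
    period: str
    measured: float
    committed: float

class Provider:
    def __init__(self, commitments: List[Commitment]) -> None:
        self.commitments: Dict[str, Commitment] = {c.attribute: c for c in commitments}
        self.reports: List[Report] = []
        self.alerts: List[Alert] = []

    def publish(self, report: Report) -> Optional[Alert]:
        """Record a measurement; alert only if it breaks a known commitment."""
        self.reports.append(report)
        c = self.commitments.get(report.attribute)
        if c is None or c.holds(report.value):
            return None
        self.alerts.append(Alert(report.attribute, report.period, report.value, c.threshold))
        return self.alerts[-1]

def consumer_query(provider: Provider, attribute: str) -> dict:
    """What a consumer asks CTP for: the commitment plus its reports and alerts."""
    return {"commitment": provider.commitments[attribute],
            "reports": [r for r in provider.reports if r.attribute == attribute],
            "alerts": [a for a in provider.alerts if a.attribute == attribute]}

# Constructed sample data on the two attributes named in the slides; the 7-day
# fix commitment is a constructed value, the slide only reports a 5-day fix.
PROVIDER = Provider([Commitment("availability", 99.95, "percent"),
                     Commitment("time_to_fix_days", 7, "days", higher_is_better=False)])
PROVIDER.publish(Report("availability", 99.97, "2013-10"))
PROVIDER.publish(Report("availability", 99.90, "2013-11"))   # below 99.95: alert
PROVIDER.publish(Report("time_to_fix_days", 5, "2013-11"))  # within 7 days: ok
```

The unit and direction carried on each `Commitment` are what make two providers' "99.95%" comparable, which is the standardisation problem Challenge 1 raises.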

Page 40: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Now it’s your turn!

Page 41: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


The CTP working group

CSA launches the CTP working group:

Objective 1: Define CTP vision, goals, design principles.

Objective 2: Define CTP data model.

Objective 3: Specify the CTP API.

Objective 4: Specify CTP core security attributes.

Objective 5: Implement a CTP pilot.

Objective 6: Support OCF monitoring based certification.

Page 42: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA


Help Us Secure Cloud Computing

www.cloudsecurityalliance.org

[email protected]

[email protected]

www.linkedin.com/groups?gid=1864210

www.a4cloud.eu

Page 43: CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA
